Prerequisites

The DB engine versions and editions that support SSL encryption are as follows:

All SQL Server versions and editions

MySQL 8.0 High-availability Edition

MySQL 5.7 High-availability Edition

MySQL 5.6

Precautions

The SSL CA certificate is valid for one year. You must renew it before it expires and
install the renewed certificate in your application or client. Otherwise, an application
or client that uses an encrypted connection can no longer connect to RDS once the
certificate has expired.

SSL encryption increases CPU usage. We therefore recommend that you enable SSL encryption
only where it is required, typically for public endpoints, whose traffic crosses the
Internet. Private endpoints in most cases do not require SSL encryption, unless your
security or compliance requirements mandate encryption in transit for all database connections.

SSL encryption cannot be disabled once it is enabled for an RDS for SQL Server instance.

.pem file: the CA certificate in PEM format, used to import the CA certificate into
non-Java systems or applications, such as MySQL Workbench.

.jks file: the same CA certificate packaged as a Java KeyStore, used to import the CA
certificate into Java-based applications. The .jks file is loaded as the Java TrustStore.

Note: When you use the .jks file with JDK 7 or JDK 8, you must modify the default JDK
security configuration. Specifically, find the jre/lib/security/java.security file of the
JDK that your application runs on (the host from which you connect to the database over SSL),
and reconfigure the file as follows:

If you do not modify the JDK security configuration, the connection fails with an error
similar to the following:

javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

This error is raised when the Diffie-Hellman key that the server presents during the TLS
handshake is smaller than the minimum allowed by the JDK's jdk.tls.disabledAlgorithms
constraint. Relaxing that constraint applies to every TLS connection made by that JDK
installation, not only to the RDS connection, so limit the change to the JDK that the
database client actually uses.

Configure the SSL CA certificate

After SSL encryption is enabled, you must configure the SSL CA certificate for your
application or client when connecting to RDS. This section uses MySQL Workbench as
an example to describe how to install the SSL CA certificate.

Start MySQL Workbench.

Choose Database > Manage Connections.

Select If available from the Use SSL drop-down list.

In the SSL CA File field, click .... Then, select the .pem file.
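The following script is added here as an example; it is not part of the RDS documentation or of any ApsaraDB tool. It automates two checks that the precautions above call for: that the downloaded CA .pem file is not about to expire (the certificate is valid for one year), and, for the Java handshake error described above, whether a short server DH key is the cause. It also shows the openssl and mysql commands that verify an RDS endpoint against the CA file, which is what selecting the .pem file in MySQL Workbench achieves. It requires the openssl command-line tool; the host name rds.example.com, port 3306, the file name ca.pem and the 30-day and 2048-bit thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not from the RDS documentation or ApsaraDB tooling: offline
# checks on the downloaded SSL CA .pem file, plus the openssl/mysql commands used
# to verify an RDS endpoint against it. Needs the openssl CLI. Host names, ports
# and file names (ca.pem, rds.example.com) are placeholders, i.e. assumptions.

# Minimum remaining validity, in days, before the CA file is flagged for renewal.
# The RDS CA certificate is valid for one year; 30 days leaves time to roll it out.
MIN_DAYS=${MIN_DAYS:-30}
# Smallest finite-field DH key size accepted by check_dh (assumed threshold).
MIN_DH_BITS=${MIN_DH_BITS:-2048}

# check_ca_expiry FILE [DAYS]
# Exit status 0: the certificate in FILE is valid for at least DAYS more days.
#             1: it expires sooner than that (or has already expired).
#             2: FILE is not a readable PEM certificate.
check_ca_expiry() {
    file=$1
    days=${2:-$MIN_DAYS}
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || return 2
    # -checkend takes seconds and exits 0 only if the cert is still valid then.
    openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1 || return 1
    return 0
}

# ca_not_after FILE: prints the notAfter date of the certificate in FILE,
# e.g. "Jun  1 12:00:00 2025 GMT", for logging or alerting.
ca_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_dh: reads `openssl s_client` output on stdin. Exit status 1 if the server
# negotiated finite-field DH with a key smaller than MIN_DH_BITS, else 0.
# A DH key below the JDK's jdk.tls.disabledAlgorithms minimum is what makes a
# JDK 7/8 client fail with "DHPublicKey does not comply to algorithm constraints";
# ECDHE or X25519 key exchange does not trigger that check.
check_dh() {
    line=$(grep '^Server Temp Key: DH,' | head -n 1)
    [ -z "$line" ] && return 0
    bits=$(printf '%s\n' "$line" | sed -n 's/.*, \([0-9]*\) bits.*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_DH_BITS" ]
}

# verify_endpoint HOST PORT CAFILE
# Runs the MySQL STARTTLS exchange and a TLS handshake against HOST:PORT, verifying
# the server chain against CAFILE, and prints the verification result and the
# ephemeral key line that check_dh inspects. Needs network access; not run offline.
verify_endpoint() {
    host=$1; port=$2; cafile=$3
    openssl s_client -connect "$host:$port" -starttls mysql \
        -CAfile "$cafile" -verify_return_error </dev/null 2>&1 \
        | grep -E 'Verify return code|Server Temp Key'
}

# Equivalent client-side setting for the mysql CLI (MySQL 5.7 or later client):
# refuse the connection unless the server certificate chains to ca.pem.
#   mysql -h rds.example.com -P 3306 -u user -p --ssl-ca=ca.pem --ssl-mode=VERIFY_CA
```

Run `check_ca_expiry ca.pem` from a scheduled job and alert on a non-zero exit status well before the one-year mark; pipe `verify_endpoint rds.example.com 3306 ca.pem` into `check_dh` when a Java client reports the algorithm-constraints error, which tells you whether the server side or the JDK setting is the place to fix it.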

Renew the validity period of the SSL CA certificate

Note: This operation restarts your RDS instance. Plan for the resulting service
interruption before you perform it.